Cybercriminals Use Legitimate Tools in APT Attacks, Experts Say

Trend Micro experts say that cybercriminals are turning more and more to legitimate tools in their advanced persistent threat (APT) attacks. The main concern is that some of these tools are “greyware” and they’re not always detected by security solutions.

An additional benefit from using such tools is that the cybercriminals don’t go through the trouble of creating their own.

According to experts, cybercriminals are using tools designed for password recovery, user account cloning, file manipulation, job scheduling, FTP transfers and data compression.

For instance, attackers are using compression tools, such as the popular WinRar, to archive multiple stolen files before uploading them to a remote server they control.

Scheduled job tools can be utilized to disable software updates to make sure the targeted system remains vulnerable, or to program various malicious tasks, such as stealing files.

File manipulation tools can be successfully used to delete certain components in an effort to hide their tracks, or to search for certain files.

So what can organization do to identify an APT that relies on such tools?

Experts say that most of them are command line tools, so checking for unknown command shell processes can help an organization identify an attack before too much damage is caused.

Furthermore, the presence of tools, regardless whether they’re legitimate or not, could be a sign of compromise. Odd-looking files names are another tell-tale sign, since hackers often give their files apparently random names or fake extentions.

Since FTP connections are often used by cybercriminals, it’s important for IT teams to pay attention to network logs.

Finally, reviewing scheduled jobs is highly recommended.

“Scheduled jobs are a common auto-start method not only for APTs, but to malware in general. Scrutinizing the properties of scheduled jobs will not only allow you identify infection, but will also most likely help you identify components of the attack through the files they execute,” Trend Micro Threat Researcher Roland Dela Paz explained.